1 New Features and Changes
Unbreakable Enterprise Kernel Release 6 (UEK R6) is a heavily tested and optimized operating system kernel for Oracle Linux 7.7, and later; and Oracle Linux 8.1, and later. The kernel is developed, built, and tested on the 64-bit Arm (aarch64), Intel 64-bit (x86_64), and AMD 64-bit (x86_64) platforms. The kernel is based on the mainline Linux kernel version 5.4. This release also includes updated drivers, as well as bug and security fixes.
Oracle actively monitors upstream check-ins and applies critical bug and security fixes to UEK R6.
UEK R6U3 uses the 5.4.17-2136 version and build of the UEK R6 kernel, which includes security and bug fixes, as well as driver updates.
UEK R6 uses the same versioning model as the mainline Linux kernel version. It is possible that some applications might not understand the 5.4 versioning scheme. However, regular Linux applications are usually neither aware of nor affected by Linux kernel version numbers.
UEK R6 maintains compatibility with the Red Hat Compatible Kernel (RHCK) and does not disable any features that are enabled in RHCK. Additional features are enabled to provide support for key functional requirements and patches are applied to improve performance and optimize the kernel for use on Oracle operating environments.
The kernel's source code is available through a public git source code repository at https://github.com/oracle/linux-uek.
Notable Features and Changes
The following are the major new features and changes that are included in Unbreakable Enterprise Kernel Release 6 Update 3 (UEK R6U3).
Core Kernel Functionality
UEK R6U3 provides core kernel functionality that is equivalent to UEK R6, but is updated to the upstream mainline kernel v5.4.83 release tag and includes upstream LTS bug fixes, with additional patches to enhance existing functionality and provide minor bug fixes and security improvements. All of the key changes are specific to the functionality that is required for Oracle Database and other Oracle software.
WireGuard Communication Protocol
WireGuard is a communication protocol that implements encrypted virtual private networks (VPNs) by passing traffic over the User Datagram Protocol (UDP).
Note:
WireGuard, which has been enabled in UEK R6 as a technology preview feature since UEK R6U1, is fully supported in UEK R6U3.
WireGuard is a secure, easy-to-use, and faster replacement for the legacy IPsec and OpenVPN tunneling protocols. The feature uses proven cryptography protocols and algorithms to protect data. Although IPsec remains the standard for secure network communication, WireGuard is simpler to configure and deploy. By comparison, its configuration is likened to setting up SSH. These are some of the reasons that administrators are choosing to build new networks with the more modern cryptography that WireGuard uses.
WireGuard uses public key encryption for identification and encryption, while OpenVPN uses certificates for these tasks. With WireGuard, secure key generation and management is handled in the background.
WireGuard uses a server/client mode for its configuration and deployment. Note that you can configure and deploy WireGuard on both IPv4 and IPv6 networks.
To configure and deploy WireGuard, the wireguard-tools package must be installed on the server and client systems, which enables communication between both hosts.
You can verify that the wireguard-tools package is installed by using the following command:
$ rpm -qa | grep wireguard
You can verify that the wireguard kernel module is present on the system by using the following command:
$ modinfo wireguard
For more information and step-by-step instructions, see Oracle Linux: Configuring Virtual Private Networks.
vmemmap Reduction Capability for HugeTLB Pages Added
This release includes an enhancement that frees some vmemmap pages (pages of struct page structures) that are associated with each hugetlbpage. By removing redundant page structs for HugeTLB pages, memory can be returned to the buddy allocator for other uses.
To enable this feature, boot the system by using the hugetlb_free_vmemmap=on option. When enabled, messages similar to the following are displayed during boot:
HugeTLB: can free 4094 vmemmap pages for hugepages-1048576kB
HugeTLB: can free 6 vmemmap pages for hugepages-2048kB
io_uring Asynchronous I/O Framework
Further integration of the io_uring Asynchronous I/O (AIO) framework has taken place in this release. io_uring is a Linux kernel interface that provides submission and completion queue rings, which are then shared between the kernel and user space to avoid copies.
In addition to the more established features that have been added to the io_uring framework in this release, UEK R6U3 also includes the new polled I/O mode (IORING_SETUP_IOPOLL) feature, which provides the following functionality:
- Standard file control operations: FALLOCATE, OPENAT2, STATX, MADVISE, FADVISE, and TEE.
- Operations on sockets: ACCEPT, CONNECT, SEND(2) and RECV(2) messages, and EPOLL_CTL.
- Capability for sharing of io-wq workqueue (IORING_SETUP_ATTACH_WQ) from another ring.
- Addition of the IORING_REGISTER_PROBE call for probing and receiving information about supported features from the io_uring framework in the kernel.
- Inclusion of the SPLICE(2) call.
- Inclusion of the IORING_REGISTER_RESTRICTIONS call, which enables the application to grant access to its file descriptors by untrusted applications or guests.
- IORING_OP_PROVIDE_BUFFERS call, which uses the buffer registration infrastructure to enable the passing of an addr/len that is associated with a buffer ID and a buffer group ID.
- IORING_BUFFER_SELECT support for the vectored read calls, IORING_OP_READV and IORING_OP_READVMSG.
kabi_whitelist Package Renamed kabi_stablelist
The kabi_whitelist package has been renamed kabi_stablelist. This change was made in accordance with Oracle's commitment to replace problematic and potentially offensive language.
Note:
A similar renaming has already taken place in the Oracle Linux 8 release.
Nested Virtualization on the AMD Platform
Capability for nested virtualization on the AMD 64-bit (x86_64) platform is enhanced in this release through the implementation of an extensive number of stability fixes.
NVMe Improvements
To accommodate NVMe standards changes, and as the technology continues to evolve and change, ongoing improvements are being made to the Non-Volatile Memory Express (NVMe) feature. Compared to legacy protocols, NVMe provides advanced capability for accessing high-speed storage media.
Along with several bug fixes, this release introduces the NVMe Target Passthru feature. The Target Passthru feature enables you to export an entire NVMe controller through the NVM Express over Fabrics (NVMe-oF) specification. When exported in this manner, versus exporting each namespace as a block device, all NVMe commands are passed to the given controller unmodified, including both administrative commands and Vendor Unique Commands (VUCs). A passthru target exposes all of the namespaces for a given device to the remote host.
New RDMAIP Tracepoints Introduced
In previous releases, the resilient_rdmaip kernel module used the trace_printk() function directly for debugging its infrastructure, which resulted in a banner warning about trace_printk() and memory usage that was not relevant to the resilient_rdmaip kernel module.
UEK R6U3 introduces new tracepoints that replace the use of trace_printk() for debugging the resilient_rdmaip kernel module's infrastructure.
Each of the following new tracepoints corresponds to one of the three debug levels that are supported by resilient RDMA debug messages:
- trace_rdma_debug_l1
- trace_rdma_debug_l2
- trace_rdma_debug_l3
Secure Boot Enhancement
In this release, Secure Boot has been modified to additionally check the platform keyring, which includes the Machine Owner Key (MOK) list. This enhancement enables third-party and custom key signed modules to be loaded whenever Secure Boot is enabled.
vDPA Implementation on Mellanox ConnectX-6Dx for Oracle Linux
The Virtual Data Path Acceleration (vDPA) framework on the Mellanox ConnectX-6Dx network adapter is improved in this release. The vDPA framework supports emerging technologies such as Single Root I/O Virtualization (SR-IOV) Virtual Function and Mellanox SubFunction, by providing an abstraction and translation layer on top. vDPA uses the Virtio ring layout and places a single, standard Virtio driver in the guest, which is decoupled from the vendor implementation.
In UEK R6U3, notable vDPA improvements include the vDPA management tool API for orchestration and configuration, vDPA SubFunction (SF) support for bypassing the PCIe specification's imposed limit on the number of virtual functions (VFs) per physical function (PF) that can be created, and Mellanox mlx5_vdpa driver support for doorbell mapping.
vhost and vhost-scsi Performance Improvements
Some performance improvements related to block storage for the vhost and vhost-scsi modules are introduced in this release. In particular, kernel improvements were made to boost IOPS (input/output operations per second) for a vhost SCSI device over dm-multipath.
In addition, an improvement was made to enable QEMU to create multiple vhost worker threads and map them to different guest SCSI device virtqueues.
Integrity Measurement Architecture Default Policy
The Integrity Measurement Architecture (IMA) subsystem, which has been present in the Linux kernel since the upstream 2.6.30 release, maintains a list of hashes of sensitive files on a system. This information can prevent the loading of files or binaries that do not match these hashes. The IMA feature helps maintain system integrity and also can be used to prevent modifications to system critical files. A default IMA policy is set in UEK R6U3 and is also backported in an errata update for UEK R6U2. The updated policy can be reviewed in /sys/kernel/security/ima/policy:
measure func=KEXEC_KERNEL_CHECK
measure func=MODULE_CHECK
The default policy measures the kexec image and all kernel module binaries. Note that although this default policy enables the measurement of these items, it does not define any appraisal policy.
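The gap between measurement and appraisal can be checked mechanically. The following is an added example, not Oracle's code: it parses policy text in the format shown above and lists the hooks that have a measure rule but no appraise rule. Both sample policies are constructed, and rule ordering and dont_* exclusions are ignored as a simplifying assumption.

```python
"""Audit IMA policy text for hooks that are measured but never appraised."""
import sys

# Rule actions accepted by the IMA policy parser.
ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise",
           "audit", "hash", "dont_hash"}

# Constructed sample: the two rules the page lists as the UEK R6U3 default.
UEK_DEFAULT_POLICY = """\
measure func=KEXEC_KERNEL_CHECK
measure func=MODULE_CHECK
"""

# Constructed sample: a hypothetical local policy that also appraises modules.
HARDENED_SAMPLE = """\
# constructed example, not an Oracle-shipped policy
measure func=KEXEC_KERNEL_CHECK
measure func=MODULE_CHECK
appraise func=MODULE_CHECK appraise_type=imasig
"""


def parse_policy(text):
    """Return a list of (action, {key: value}) tuples, one per rule."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        action, *tokens = line.split()
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        conds = {}
        for tok in tokens:
            key, sep, value = tok.partition("=")
            conds[key] = value if sep else True   # bare flag such as permit_directio
        rules.append((action, conds))
    return rules


def coverage(text):
    """Map each func= hook ('*' when a rule names none) to the actions seen."""
    hooks = {}
    for action, conds in parse_policy(text):
        hooks.setdefault(conds.get("func", "*"), set()).add(action)
    return hooks


def measured_not_appraised(text):
    """Hooks recorded in the measurement list but not enforced by appraisal."""
    cov = coverage(text)
    catch_all = cov.get("*", set())       # rules without func= apply to every hook
    return sorted(hook for hook, acts in cov.items()
                  if "measure" in acts and "appraise" not in (acts | catch_all))


if __name__ == "__main__":
    # Pass a saved copy of /sys/kernel/security/ima/policy, or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else UEK_DEFAULT_POLICY
    for hook in measured_not_appraised(text):
        print(f"{hook}: measured only, no appraise rule")
```

With the default policy, both hooks are reported, which matches the statement that kexec images and modules are recorded but a mismatching file is not blocked by IMA.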
Technology Preview Features
Several features are under investigation and ongoing development for release within UEK R6. The following features are available in UEK R6U3 as a technology preview.
- Core scheduling
  The core scheduling feature that is enabled in the kernel limits trusted tasks to running concurrently on CPU cores that share compute resources. This feature mitigates against certain categories of 'core shared cache' processor bugs that could cause data leakage and other related vulnerabilities. Core scheduling has been enabled in UEK R6 as a technology preview feature since UEK R6U1. This feature is under ongoing, active development.
- NFS v4.2 server-side copy
  NFS v4.2 server-side copy (SSC) functionality is backported from the upstream kernel and has been available in UEK R6 as a technology preview since UEK R6U1. The server-side copy feature provides mechanisms that enable an NFS client to copy file data on a server, or between two servers, without it being transmitted back and forth over the network through the NFS client.
Deprecated Features
The following features are deprecated in this UEK R6 release.
oracleasm Kernel Module Deprecated
The oracleasm kernel module is deprecated in this release. Note that although the module continues to be supported in UEK R6U3, it may be removed in a future UEK release.
DRBD Deprecated
The DRBD (Distributed Replicated Block Device) kernel module, and the associated drbd-utils package, is deprecated with UEK R6U3. The DRBD kernel module was introduced as a technology preview in UEK R4 and continues to be enabled in UEK R5 and UEK R6. However, this module and the drbd-utils package may be removed in a future UEK release.
Cisco fnic 1.6 driver Unsupported
Cisco no longer supports the Cisco FCoE HBA Driver (fnic 1.6) that is sourced from the upstream kernel and which is available in most kernels, including UEK R5, UEK R6, and UEK R7. Cisco provides a fully supported UCS Linux driver (version 2.0.0.83, and later) that is tested on and compatible with Oracle Linux, with UEK R5 and later UEK releases, on the Cisco software download page. The driver package includes features that are not available in the currently included driver module such as NVMe support and multi-queue support.
Customers who are running Oracle Linux on Cisco servers must install the Cisco driver package to receive driver fixes, driver updates, new hardware support, and new feature support. Contact Cisco for more information about driver solutions on Oracle Linux.
Driver Updates
The Unbreakable Enterprise Kernel Release 6 supports a large number of hardware devices. In close cooperation with hardware and storage vendors, Oracle has updated several device drivers from the versions in mainline Linux 5.4.
A complete list of the driver modules included in UEK R6, along with version information, is provided in the appendix at Driver Modules in Unbreakable Enterprise Kernel Release 6 (x86_64).
The following new features are noted in the drivers that are shipped with UEK R6U3:
- Broadcom BCM573xx network driver
  The Broadcom BCM573xx network driver, bnxt_en, is updated to version 1.10.2 in this release. A large number of upstream and vendor supplied patches are included to resolve various bugs and to provide newer features and updates. Notably, PTP functionality is enabled and several improvements for RoCE have been included.
- Cisco FCoE HBA driver
  The Cisco FCoE HBA driver, fnic, is updated to version 1.6.0.53 in this release. Several upstream patches are included to resolve various bugs.
- Intel Ethernet Connection E800 Series Linux driver
  The Intel Ethernet Connection E800 Series Linux driver, ice, continues to report as version 0.8.2-k in this release, but includes a large number of vendor supplied patches. This driver is tested against the latest 25 GbE and 100 GbE E810 network interface cards.
- Broadcom Emulex LightPulse Fibre Channel SCSI driver
  The Broadcom Emulex LightPulse Fibre Channel SCSI driver, lpfc, is updated to version 12.8.0.10, with vendor supplied patches and bug fixes. Several patch updates were additionally applied to the NVMe Fibre Channel transport driver, nvme-fc, for improved functionality and to resolve issues identified by the vendor.
- Microsoft Azure Network Adapter driver
  The Microsoft Azure Network Adapter driver, mana, is included in this release. Upstream and vendor supplied patches are included and the driver is intended for use on Oracle Linux 8.
- MPI3 Storage Controller device driver
  The MPI3 Storage Controller device driver, mpi3mr, is included in this release at version 00.255.45.01. Upstream and vendor supplied patches are included and the driver is intended to support the next generation of 96XX HBA and RAID controller devices from Broadcom.
- QLogic FastLinQ 4xxxx Core module
  The QLogic FastLinQ 4xxxx Core module, qed, is updated to version 8.37.0.20 and includes many additional vendor supplied patches, including patches for version 8.42.2.0 firmware.
- QLogic FastLinQ 4xxxx Ethernet driver
  The QLogic FastLinQ 4xxxx Ethernet driver, qede, is updated to version 8.37.0.20 and includes additional vendor supplied patches.
- QLogic FastLinQ 4xxxx FCoE module
  The QLogic FastLinQ 4xxxx FCoE module, qedf, is updated to version 8.42.3.0 and includes vendor supplied patches to update this driver in line with upstream changes.
- QLogic FastLinQ 4xxxx iSCSI module
  The QLogic FastLinQ 4xxxx iSCSI module, qedi, is updated to version 8.37.0.20 and includes vendor supplied patches to update this driver in line with upstream changes.
- QLogic Fibre Channel HBA driver
  The QLogic Fibre Channel HBA driver, qla2xxx, is updated to version 10.02.00.106-k and includes several vendor supplied patches.
- Microsemi Smart Family Controller driver
  The Microsemi Smart Family Controller driver, smartpqi, is updated to version 2.1.8-045 and includes several upstream patches.
- pvpanic driver
  The pvpanic driver, used to trigger events within libvirtd in the event that a guest virtual machine encounters a kernel panic, is updated to include a PCI component to enable this functionality on Arm (aarch64) platforms. Previously, the driver only functioned as an ISA bus device, which limited its use to x86 platforms.
Compatibility
Oracle Linux maintains full user space compatibility with Red Hat Enterprise Linux (RHEL), which is independent of the kernel version that is running underneath the operating system. Existing applications in user space continue to run unmodified on the Unbreakable Enterprise Kernel Release 6 and no re-certifications are needed for RHEL certified applications.
To minimize impact on interoperability during releases, the Oracle Linux team works closely with third-party vendors whose hardware and software have dependencies on kernel modules. The kernel ABI for UEK R6 remains unchanged in all subsequent updates to the initial release. In this release, there are changes to the kernel ABI relative to UEK R5 that require recompilation of third-party kernel modules on the system. Before installing UEK R6, verify its support status with your application vendor.
Notable changes in kernel headers
Upstream changes to kernel headers may mean that third party modules do not compile across different kernel versions without modification to source code. Notably, the memcg_cache_params structure has been moved from include/linux/slab.h to mm/slab.h. This means that code needs to be refactored to account for the change if you are compiling across kernel versions.
To solve this problem, so that the code can compile for both UEK R5 and UEK R6, change header requirements in the source code. For example, change lines like those in the following example to what is shown in the second example:
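#ifdef CONFIG_SLUB
#include <linux/slub_def.h>
#endif

#include <linux/version.h>   /* LINUX_VERSION_CODE, KERNEL_VERSION() */

/* slub_def.h is included directly only on kernels older than 5.4 */
#if ( LINUX_VERSION_CODE < KERNEL_VERSION(5,4,0) )
#ifdef CONFIG_SLUB
#include <linux/slub_def.h>
#endif
#endif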
Certification of UEK R6 for Oracle products
Note that the certification of different Oracle products on UEK R6 may not be immediately available at the time of a UEK R6 release. You should always check to ensure that the product you are using is certified for use on UEK R6 before upgrading or installing the kernel. Check certification at https://support.oracle.com/epmos/faces/CertifyHome.
Oracle Automatic Storage Management Cluster File System (Oracle ACFS) certification for different kernel versions is described in Document ID 1369107.1, which is available at https://support.oracle.com/epmos/faces/DocumentDisplay?id=1369107.1.
Oracle Automatic Storage Management Filter Driver (Oracle ASMFD) certification for different kernel versions is described in Document ID 2034681.1, which is available at https://support.oracle.com/epmos/faces/DocumentDisplay?id=2034681.1.